On February 5, 2024 11:17:12 PM GMT, Eric Biggers wrote:
>On Mon, Feb 05, 2024 at 02:44:14PM -0800, Kees Cook wrote:
>> On Mon, Feb 05, 2024 at 12:21:45PM -0800, Eric Biggers wrote:
>> > On Mon, Feb 05, 2024 at 01:12:30AM -0800, Kees Cook wrote:
>> > > Subject: Re: [PATCH v3 2/3] overflow: Intr
On Mon, Feb 05, 2024 at 02:44:14PM -0800, Kees Cook wrote:
> On Mon, Feb 05, 2024 at 12:21:45PM -0800, Eric Biggers wrote:
> > On Mon, Feb 05, 2024 at 01:12:30AM -0800, Kees Cook wrote:
> > > Subject: Re: [PATCH v3 2/3] overflow: Introduce add_wrap(), sub_wrap(),
> > > and mul_wrap()
> >
> > Mayb
On Mon, Feb 05, 2024 at 12:21:45PM -0800, Eric Biggers wrote:
> On Mon, Feb 05, 2024 at 01:12:30AM -0800, Kees Cook wrote:
> > Subject: Re: [PATCH v3 2/3] overflow: Introduce add_wrap(), sub_wrap(), and
> > mul_wrap()
>
> Maybe these should be called wrapping_add, wrapping_sub, and wrapping_mul?
On Mon, Feb 05, 2024 at 01:12:30AM -0800, Kees Cook wrote:
> Subject: Re: [PATCH v3 2/3] overflow: Introduce add_wrap(), sub_wrap(), and
> mul_wrap()
Maybe these should be called wrapping_add, wrapping_sub, and wrapping_mul?
Those names are more grammatically correct, and Rust chose those names t
On 2/5/24 03:12, Kees Cook wrote:
The check_*_overflow() helpers will return results with potentially
wrapped-around values. These values have always been checked by the
selftests, so avoid the confusing language in the kern-doc. The idea of
"safe for use" was relative to the expectation of wh
On 2/5/24 07:31, Marco Elver wrote:
On Mon, 5 Feb 2024 at 10:12, Kees Cook wrote:
Provide helpers that will perform wrapping addition, subtraction, or
multiplication without tripping the arithmetic wrap-around sanitizers. The
first argument is the type under which the wrap-around should hap
On Mon, Feb 05, 2024 at 01:48:51PM +0100, Geert Uytterhoeven wrote:
> On Mon, Feb 5, 2024 at 1:36 PM Kees Cook wrote:
...
> > +#define __strscpy_pad1(dst, src, size) sized_strscpy_pad(dst, src, size)
>
> (dst) etc.
Makes a little sense here. Are you expecting, e.g., dst to be 'a, b' (w/o
quote
On Mon, Feb 05, 2024 at 01:50:14PM +0100, Geert Uytterhoeven wrote:
> On Mon, Feb 5, 2024 at 1:36 PM Kees Cook wrote:
...
> > +#define strscpy(dst, src) sized_strscpy(dst, src, sizeof(dst))
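Review bot: this 2-argument definition passes sizeof(dst) with no array check, so a pointer destination still compiles and silently hands sized_strscpy() the size of a char pointer rather than of the buffer. The generic definition elsewhere in this series spells the size as `sizeof(dst) + __must_be_array(dst)` so that case is a build error; this definition should use the same expression, or the commit message should say why it cannot.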
>
> (dst), (src)
No need.
--
With Best Regards,
Andy Shevchenko
On Mon, 5 Feb 2024 at 10:12, Kees Cook wrote:
>
> Provide helpers that will perform wrapping addition, subtraction, or
> multiplication without tripping the arithmetic wrap-around sanitizers. The
> first argument is the type under which the wrap-around should happen
> with. In other words, these t
On Mon, 5 Feb 2024 at 13:59, Kees Cook wrote:
>
> On Mon, Feb 05, 2024 at 01:54:24PM +0100, Andrey Ryabinin wrote:
> >
> >
> > On 2/5/24 10:37, Kees Cook wrote:
> >
> > > ---
> > > include/linux/compiler_types.h | 9 -
> > > lib/Kconfig.ubsan | 14 +++
> > > lib/test_ubsan.c
Hi Kees,
On Mon, Feb 5, 2024 at 2:01 PM Kees Cook wrote:
> On Mon, Feb 05, 2024 at 01:47:08PM +0100, Geert Uytterhoeven wrote:
> > > +/*
> > > + * The 2 argument style can only be used when dst is an array with a
> > > + * known size.
> > > + */
> > > +#define __strscpy0(dst, src, ...) \
> >
On Mon, Feb 05, 2024 at 01:47:08PM +0100, Geert Uytterhoeven wrote:
> > +/*
> > + * The 2 argument style can only be used when dst is an array with a
> > + * known size.
> > + */
> > +#define __strscpy0(dst, src, ...) \
> > + sized_strscpy(dst, src, sizeof(dst) + __must_be_array(dst))
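Review bot: the comment above __strscpy0() understates what the macro enforces and leaves its trailing `...` unexplained. "Can only be used when dst is an array with a known size" reads as a usage rule, but `+ __must_be_array(dst)` makes a pointer destination a compile-time error, and the variadic parameter exists only to absorb the empty trailing argument that the dispatching `strscpy(dst, src, ...)` macro passes through; both are worth a line in the comment, e.g. "the check is enforced at build time; the trailing argument is always empty and is ignored".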
>
On Mon, Feb 05, 2024 at 01:47:08PM +0100, Geert Uytterhoeven wrote:
> On Mon, Feb 5, 2024 at 1:37 PM Kees Cook wrote:
...
> > +#define __strscpy1(dst, src, size) sized_strscpy(dst, src, size)
>
> (dst), (src), (size) etc.
No need.
...
> > +#define strscpy(dst, src, ...) \
> > + CON
On Mon, Feb 05, 2024 at 01:54:24PM +0100, Andrey Ryabinin wrote:
>
>
> On 2/5/24 10:37, Kees Cook wrote:
>
> > ---
> > include/linux/compiler_types.h | 9 -
> > lib/Kconfig.ubsan | 14 +++
> > lib/test_ubsan.c | 37 ++
> > lib/ubsan.c
On Mon, Feb 05, 2024 at 01:54:08PM +0100, Andrey Ryabinin wrote:
>
>
> On 2/2/24 10:55, Kees Cook wrote:
> > On Tue, Jan 30, 2024 at 03:46:38PM -0800, Kees Cook wrote:
> >> The kernel hardening efforts have continued to depend more and more
> >> heavily on UBSAN, so make an actual MAINTAINERS ent
On 2/5/24 10:37, Kees Cook wrote:
> ---
> include/linux/compiler_types.h | 9 -
> lib/Kconfig.ubsan | 14 +++
> lib/test_ubsan.c | 37 ++
> lib/ubsan.c| 68 ++
> lib/ubsan.h
On 2/2/24 10:55, Kees Cook wrote:
> On Tue, Jan 30, 2024 at 03:46:38PM -0800, Kees Cook wrote:
>> The kernel hardening efforts have continued to depend more and more
>> heavily on UBSAN, so make an actual MAINTAINERS entry for it.
>>
>> Cc: Andrey Ryabinin
>
> I don't see Andrey on lkml in almo
On Mon, Feb 05, 2024 at 12:29:21PM +0100, Marco Elver wrote:
> On Mon, 5 Feb 2024 at 10:37, Kees Cook wrote:
> >
> > In order to mitigate unexpected signed wrap-around[1], bring back the
> > signed integer overflow sanitizer. It was removed in commit 6aaa31aeb9cf
> > ("ubsan: remove overflow check
Hi Kees,
On Mon, Feb 5, 2024 at 1:36 PM Kees Cook wrote:
> The ARCH=um build has its own idea about strscpy()'s definition. Adjust
> the callers to remove the redundant sizeof() arguments ahead of treewide
> changes, since it needs a manual adjustment for the newly named
> sized_strscpy() export.
Hi Kees,
On Mon, Feb 5, 2024 at 1:36 PM Kees Cook wrote:
> Similar to strscpy(), update strscpy_pad()'s 3rd argument to be
> optional when the destination is a compile-time known size array.
>
> Cc: Andy Shevchenko
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Kees Cook
Thanks for you
Hi Kees,
On Mon, Feb 5, 2024 at 1:37 PM Kees Cook wrote:
> Using sizeof(dst) for the "size" argument in strscpy() is the
> overwhelmingly common case. Instead of requiring this everywhere, allow a
> 2-argument version to be used that will use the sizeof() internally. There
> are other functions i
Using sizeof(dst) for the "size" argument in strscpy() is the
overwhelmingly common case. Instead of requiring this everywhere, allow a
2-argument version to be used that will use the sizeof() internally. There
are other functions in the kernel with optional arguments[1], so this
isn't unprecedente
In preparation for making strscpy_pad()'s 3rd argument optional, redefine
it as a macro. This also has the benefit of allowing greater FORTIFY
introspection, as it couldn't see into the strscpy() nor the memset()
within strscpy_pad().
Cc: Andy Shevchenko
Cc: Andrew Morton
Cc: linux-hardening@vge
Similar to strscpy(), update strscpy_pad()'s 3rd argument to be
optional when the destination is a compile-time known size array.
Cc: Andy Shevchenko
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
---
include/linux/string.h | 29 ++---
1 file changed, 18 in
The ARCH=um build has its own idea about strscpy()'s definition. Adjust
the callers to remove the redundant sizeof() arguments ahead of treewide
changes, since it needs a manual adjustment for the newly named
sized_strscpy() export.
Cc: Richard Weinberger
Cc: linux...@lists.infradead.org
Signed-o
Hi,
v2:
- add strscpy_pad() coverage
- fix up ARCH=um to handle the renaming
- use __must_be_array() to validate sizeof() usage
v1: https://lore.kernel.org/all/20240131055340.work.279-k...@kernel.org/
Make it possible for strscpy() and strscpy_pad() to use 2 arguments,
making "sizeof(dst)" be
On Mon, 5 Feb 2024 at 10:37, Kees Cook wrote:
>
> In order to mitigate unexpected signed wrap-around[1], bring back the
> signed integer overflow sanitizer. It was removed in commit 6aaa31aeb9cf
> ("ubsan: remove overflow checks") because it was effectively a no-op
> when combined with -fno-strict
On Mon, 5 Feb 2024 at 10:03, Kees Cook wrote:
>
> Silence a handful of W=1 warnings in the UBSan selftest, which set
> variables without using them. For example:
>
>lib/test_ubsan.c:101:6: warning: variable 'val1' set but not used
> [-Wunused-but-set-variable]
> 101 | int val1 =
In order to mitigate unexpected signed wrap-around[1], bring back the
signed integer overflow sanitizer. It was removed in commit 6aaa31aeb9cf
("ubsan: remove overflow checks") because it was effectively a no-op
when combined with -fno-strict-overflow (which correctly changes signed
overflow from b
This allows replacements of the idioms "var += offset" and "var -= offset"
with the inc_wrap() and dec_wrap() helpers respectively. They will avoid
wrap-around sanitizer instrumentation.
Add to the selftests to validate behavior and lack of side-effects.
Cc: Rasmus Villemoes
Cc: Mark Rutland
Cc
The check_*_overflow() helpers will return results with potentially
wrapped-around values. These values have always been checked by the
selftests, so avoid the confusing language in the kern-doc. The idea of
"safe for use" was relative to the expectation of whether or not the
caller wants a wrapped
Provide helpers that will perform wrapping addition, subtraction, or
multiplication without tripping the arithmetic wrap-around sanitizers. The
first argument is the type under which the wrap-around should happen
with. In other words, these two calls will get very different results:
mul_wr
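As an added example (not code from the patch series or the kernel) for the wrapping helpers, the inc_wrap()/dec_wrap() idioms and the check_*_overflow() semantics described in the messages above: a stand-alone C version built on the GCC/Clang __builtin_*_overflow() builtins, which compute the exact result and store it truncated to the destination type, so the wrap happens in the named type and is not reported by -fsanitize=signed-integer-overflow. The macro names follow the thread; their bodies, the check_*_overflow() stand-ins and the demo functions are my own assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/*
 * Illustrative helpers, not the kernel's implementation. The builtins do the
 * wrapping themselves, so no instrumentable signed add/sub/mul is emitted.
 */

/* check_*_overflow() style: report overflow, but *d still receives the wrapped value. */
#define check_add_overflow(a, b, d) __builtin_add_overflow(a, b, d)
#define check_mul_overflow(a, b, d) __builtin_mul_overflow(a, b, d)

/*
 * *_wrap(type, a, b): the operation is performed, and wraps, in `type`,
 * whatever the operand types are. The overflow flag is deliberately dropped.
 */
#define add_wrap(type, a, b) \
	({ type __r; (void)__builtin_add_overflow((type)(a), (type)(b), &__r); __r; })
#define sub_wrap(type, a, b) \
	({ type __r; (void)__builtin_sub_overflow((type)(a), (type)(b), &__r); __r; })
#define mul_wrap(type, a, b) \
	({ type __r; (void)__builtin_mul_overflow((type)(a), (type)(b), &__r); __r; })

/*
 * inc_wrap()/dec_wrap(): "var += offset" / "var -= offset" wrapping in var's own
 * type. The address of var is taken once, so a side-effecting index runs once.
 */
#define inc_wrap(var, offset) \
	({ __typeof__(var) *__p = &(var); *__p = add_wrap(__typeof__(*__p), *__p, (offset)); })
#define dec_wrap(var, offset) \
	({ __typeof__(var) *__p = &(var); *__p = sub_wrap(__typeof__(*__p), *__p, (offset)); })

/* Same operands, different wrap type: 100 * 3 is 300 in int but 44 in u8. */
int demo_mul_int(void) { return mul_wrap(int, 100, 3); }
int demo_mul_u8(void)  { return mul_wrap(uint8_t, 100, 3); }

/* Signed wrap that the sanitizer would otherwise flag: INT_MAX + 1 == INT_MIN. */
int demo_add_int_max(void) { return add_wrap(int, INT_MAX, 1); }

/* Unsigned subtraction below zero wraps to the top of the range (UINT32_MAX). */
unsigned int demo_sub_u32(void) { return sub_wrap(uint32_t, 0, 1); }

/* 100000 * 100000 does not fit in 32 bits: 10^10 mod 2^32 == 1410065408. */
int demo_mul_int_big(void) { return mul_wrap(int, 100000, 100000); }

/* check_*_overflow() both reports and wraps: flag is true, *d holds INT_MIN. */
bool demo_check_flag(void)
{
	int d;

	return check_add_overflow(INT_MAX, 1, &d);
}

int demo_check_value(void)
{
	int d;

	(void)check_add_overflow(INT_MAX, 1, &d);
	return d;
}

/* inc_wrap() on an element chosen by a side-effecting index: the index runs once. */
static int evals;
static int next_index(void)
{
	evals++;
	return 1;
}

int demo_inc_side_effects(void)
{
	unsigned char arr[2] = { 255, 255 };

	evals = 0;
	inc_wrap(arr[next_index()], 1);	/* arr[1]: 255 + 1 wraps to 0 */
	return evals == 1 && arr[1] == 0 && arr[0] == 255;
}

int demo_dec_wrap(void)
{
	unsigned char c = 0;

	dec_wrap(c, 1);			/* 0 - 1 wraps to 255 */
	return c;
}
```

Built with -fsanitize=signed-integer-overflow, none of these functions produces a report, whereas a plain `x + 1` with x == INT_MAX would; that is the property the helpers exist for. Note that the first argument really is the type the wrap happens in: passing `int` where the caller meant the variable's narrower type silently changes the result, as demo_mul_int() versus demo_mul_u8() shows.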
Hi,
v3:
- reduce patches to just docs and new helpers; we don't need pointer fixes yet.
v2: https://lore.kernel.org/all/20240130220218.it.154-k...@kernel.org/
v1: https://lore.kernel.org/lkml/20240129182845.work.694-k...@kernel.org/
In preparation for gaining instrumentation for signed[1], unsig
Silence a handful of W=1 warnings in the UBSan selftest, which set
variables without using them. For example:
lib/test_ubsan.c:101:6: warning: variable 'val1' set but not used
[-Wunused-but-set-variable]
101 | int val1 = 10;
| ^
Reported-by: kernel test robot